]] Adrian Bunk

> Or did this start as a coordinated effort of several major Linux
> distributions covering all TLS implementations?

While not speaking for Kurt, there's been a move towards getting rid of TLS < 1.2 for quite some time, by reasonably important players such as the PCI-DSS consortium which announced in 2015 that June 2016 would be the deadline for disabling older TLS versions.

As we all know, we're past that date now, and TLS < 1.2 is still around and entirely too well-supported. The PCI consortium extended the deadline until June 2018. Assuming that deadline holds, people with older machines will not be able to access services such as online banking or pay online in general.

I'm hoping they won't extend the deadline again, but they're pragmatic. As they write in their press release:

  “…in the field a lot of business issues surfaced…” said Stephen Orfei, General Manager, PCI SSC. “We want merchants protected against data theft but not at the expense of turning away business, so we changed the date.”

> Nothing that Debian does alone will have any measurable impact
> on TLS 1.0 usage.

I think you're wrong on this point, having Debian make this change makes it a lot easier for me to go to company management and explain that TLS v1.2 is the only way forward and that we need to spend engineering resources to make sure any users on platforms where support for that is lacking get a proper notification and a chance to move to something newer. «We need to do this because this change is coming, whether we want it or not.»

--
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are